Flare-On 2015 #4

Ok let’s start the sample first:

Well, 2 + 2 = 4, that’s right. Let’s have a look at the Imports:

That’s not very much. Maybe it’s packed!? Let’s check it with ExeinfoPe:

Seems to be packed with UPX. This should be easy to unpack. Let’s try it with UPX itself:

Let’s start it again:

Hm, it does not even start, so I will also have no chance to debug it in Olly because it will crash before I can step through the code. Something must have gone wrong with the unpacking. We’ll try to unpack it manually. We’ll use a WinXP VM since Win7 and Win8 do not work for some reason. There are a lot of really good tutorials on how to unpack UPX manually, so I’ll skip all the details here.

Olly will wait on the EP B440:

Step over the PUSHAD instruction and “Follow Dump” the ESP register:

Memory Breakpoint “On Access” at 12FFA4:

Let’s run the binary. It will stop at the Memory Breakpoint you set. Scroll down a little bit and you will identify a far jump (0x40b61A) and a lot of crap code below.

Set a breakpoint at the jump:

Run until the JMP and step over it. You will land at the OEP of this binary (0x403A8A):

Dump the process with OllyDump:

Press dump and save the file. Don’t quit Olly because we’ll need to fix the imports first. Start Import REConstructor and fix the IAT:

Type in the OEP which is 3A8A (see the screen above) and press IAT AutoSearch:

As Import REConstructor tells us, we press Get Imports and finally “Fix Dump” to save the file.
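A static counterpart to the triage and OEP bookkeeping above, added here as an example and not part of the original write-up: it parses the PE header to spot the UPX-style section names and the tiny import directory, and converts the OEP VA 0x403A8A into the RVA 3A8A that ImpREC asks for, checking that it falls in a different section than the packer’s entry point. The input is a constructed header-only PE32 whose section layout and import-directory size are assumptions, not the challenge binary; the 0x28 import-size threshold is an assumption as well.

```python
import struct

def parse_pe(data: bytes) -> dict:
    """Minimal PE32 header parser: image base, entry RVA, import dir size, sections."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe + 4
    _, nsec, _, _, _, opt_size = struct.unpack_from("<HHIIIH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:       # PE32 magic; offsets below assume it
        raise ValueError("only 32-bit PE32 images are handled")
    entry_rva, _, _, image_base = struct.unpack_from("<IIII", data, opt + 16)
    _, imp_size = struct.unpack_from("<II", data, opt + 96 + 8 * 1)   # data directory 1 = imports
    sections = []
    for i in range(nsec):                                       # 40-byte headers after the optional header
        s = opt + opt_size + 40 * i
        name = data[s:s + 8].rstrip(b"\0").decode("latin-1")
        sections.append((name,) + struct.unpack_from("<II", data, s + 8))   # (name, vsize, va)
    return {"image_base": image_base, "entry_rva": entry_rva, "import_size": imp_size, "sections": sections}

def section_of_rva(info: dict, rva: int):
    """Name of the section whose virtual range contains rva, or None."""
    return next((n for n, vs, va in info["sections"] if va <= rva < va + vs), None)

def triage(info: dict, oep_va: int) -> dict:
    """Packing hints from the post, plus the VA->RVA conversion ImpREC's OEP field wants."""
    oep_rva = oep_va - info["image_base"]
    return {"upx_sections": any(n.startswith("UPX") for n, _, _ in info["sections"]),
            "tiny_import_dir": info["import_size"] <= 0x28,   # assumption: one descriptor + terminator
            "packer_ep_section": section_of_rva(info, info["entry_rva"]),
            "oep_rva": oep_rva, "oep_section": section_of_rva(info, oep_rva)}

def build_sample() -> bytes:
    """Constructed header-only PE32 (no code): UPX-style layout, base 0x400000, EP RVA 0xB440."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 2, 25, 0, 0, 0, 0xB440, 0x1000, 0x1000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 4, 0, 0, 0,
                       4, 0, 0, 0xE000, 0x400, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", 0xCF00, 0x28) if i == 1 else bytes(8) for i in range(16))
    secs = [(b"UPX0", 0x9000, 0x1000, 0, 0), (b"UPX1", 0x3000, 0xA000, 0x2400, 0x400),
            (b".rsrc", 0x1000, 0xD000, 0x200, 0x2800)]          # assumed layout, not the real one
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0xE0000040)
                    for n, vs, va, rs, rp in secs)
    return dos + coff + opt + hdrs

if __name__ == "__main__":
    print(triage(parse_pe(build_sample()), 0x403A8A))
```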

Now we’re trying to start the unpacked sample again:

Looks good. Now we can try to run it in OllyDbg. I’ll skip all the trial and error again and just show my breakpoints:

The last breakpoint is the one where the magic happens, but just see for yourself:
Did I already mention that writing blog posts is a shitload of work?
This entry was posted in Reverse Engineering.